On May 25th, 2018, the EU’s General Data Protection Regulation EU 2016/679 (GDPR) takes effect, replacing the Data Protection Directive dating back to 1995.

The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The GDPR will affect every UK organisation that processes the personal data of EU residents. The fact that the UK has voted to leave the EU should not distract you from the fact that the regulation still applies to any organisation offering any service to the EU market, regardless of whether your business stores or processes data on EU soil, and regardless of whether the UK stays in the EU.

So why are so many companies not addressing the new regulation, when fines for groups of companies can reach €20m or 4% of annual worldwide turnover, far greater than the current maximum of £500,000?

Perhaps it's a lack of understanding of what would constitute a 'breach', 'bad data', 'misuse' or simply what needs to be protected?

Let's look at a couple of less obvious examples that fall within the scope of the GDPR to highlight the problem:

  • You're a software company that offers a free trial or download after a short sign-up request. When you check the captured details, you notice the person is located within the EU.
  • Your company doesn't capture personal data, just data; but someone unrelated to you who has access to that data can cross-reference it with open-source data such as social media and identify an EU citizen.

My advice: don't ignore GDPR, because it is not going to solve itself. The effort may seem high, but the penalties could be higher. Now is the time to take action: understand the impact of the new regulation on your business and address it head on.